GPO
U.S. GOVERNMENT PRINTING OFFICE
KEEPING AMERICA INFORMED

Bruce R. James
Public Printer

[Stamp: OFFICE OF THE INSPECTOR GENERAL, 2006 JUN -6, 4:15]

May 31, 2006

The Honorable Trent Lott
Chairman
Joint Committee on Printing
305 Russell Senate Office Building
Washington, DC 20510

Dear Mr. Chairman:

In accordance with 44 U.S.C. 3903 and the relevant provisions of the Inspector
General Act of 1978, as amended, I am transmitting to the Congress the
Semiannual Report of the Office of the Inspector General (OIG) for the U.S.
Government Printing Office (GPO), covering the 6 month period of October 1,
2005, through March 31, 2006, along with the following information as required
by law. This letter meets my statutory obligation to provide comments on the
OIG's report and highlights management actions taken on the OIG's
recommendations, which may relate to more than one reporting period.

During this reporting period, I announced my intention to retire from my position
as Public Printer. Over the past three-plus years, I have instituted various changes
in how management addresses audit and inspection recommendations. These
changes have brought about an improved working relationship with the IG,
resulting in more prompt attention being devoted to closing recommendations and
improving operations at the same time.
I am confident that the improved working
conditions will continue and that the next Public Printer will be able to work in a
very positive manner with the IG.

General Comments

As provided for by law, this section offers my general comments on the OIG's
semiannual report and operations.

I. Management Challenges. The IG highlighted ten challenges facing
GPO's management, all of which have validity and require continuous
action. However, overriding these challenges may be new ones
envisioned by the next administration in GPO. The major organizational
transformation that has been occurring over the past three years remains
critical to the future GPO. This effort must continue if the agency is to
remain a vital force in the 21st century digital information age. The pieces
have been put into place for the next generation of GPO employees.
Recruitment and training in the necessary knowledge and skills has begun.
New systems are also being acquired or developed, the most critical of
which is our Future Digital System (FDsys), that will preserve and provide
permanent public access to Federal Government information.

732 North Capitol Street, NW   Washington, DC 20401-0001   202-512-1000   bjames@gpo.gov

I do not take exception to any of the ten challenges offered by the IG,
since all of them are vital to GPO's continuous transformation. It is
critical that the next Public Printer incorporates all of these challenges
and that the current progress being made on each of them continues.
GPO cannot afford to reverse its course, if it expects to be at the cutting
edge of new technology and an industry leader in the digital age.

II. Audits and Inspections.
During the reporting period, the OIG issued
four new audit and inspection reports with 44 recommendations to help
improve operational performance. Management has concurred with all of
these recommendations and will be addressing each one in the ensuing
semiannual reporting period.

   o  The first report, GPO Purchase Card Program Management
      Controls, identified a number of areas to strengthen controls over
      access to and use of purchase cards to ensure compliance with all
      applicable laws, regulations, policies and procedures.

   o  The second report, GPO Network Vulnerability Assessment,
      highlighted vulnerability and associated risks that need to be
      closely monitored to help protect GPO's information technology
      resources from unauthorized access and compromise.

   o  The third report, GPO Oracle Program Stakeholder Analysis,
      summarized vulnerabilities and associated risks and examined
      stakeholder issues, concerns, and expectations, as well as program
      integration, implementation, and execution issues.

   o  The fourth report, Inspection of GPO's Continuity of Operations
      Plan, identified areas where GPO has not sufficiently addressed
      certain critical elements considered as best practices within the
      federal government regarding Federal Preparedness.

Management intends to take action to address the remaining open
recommendations, but due to the nature of some, final action will not be
imminent.
The OIG even recognized this fact in its Oracle Program
report, indicating that program management is currently in the early
stages of reevaluation and that the estimated completion date of
September 2007 simply coincided with the planned implementation of the
entire Oracle Program.

III. Investigations. The investigative work performed by OIG's staff
protects against waste, fraud, and abuse. Their efforts once again merit
positive recognition, as a workers' compensation case was accepted by
the Department of Justice (DOJ) for civil prosecution, after being
declined for criminal prosecution. In another case regarding a fraud
matter, the DOJ accepted it for civil prosecution, after also declining it
under criminal grounds. Other accomplishments, such as contractor
debarments and proposed debarments, are noteworthy of the value of the
OIG's investigative team in fighting waste, fraud, and abuse in the GPO
and its printing contractors.

A joint effort by the OIG's Inspections and Investigations groups
determined the frivolousness of allegations made in an anonymous letter
about activities within the operations of the Superintendent of Documents.
This effort concluded that there were no violations of any law, regulation,
or GPO instruction, or would otherwise constitute substantial fraud, waste,
or abuse on the part of GPO or any of its employees.

Prior Period Outstanding Recommendations

As required by law, this section summarizes management's planned action to
address remaining OIG's recommendations still outstanding from previous
reporting periods.

GPO's Travel Program (Report No.
05-04, dated September 30, 2005)

GPO's Chief Financial Officer made considerable progress in addressing the
remaining open recommendations. Of the ten original recommendations, only
two remain open at this time. Once GPO's offices of Customer Services and Chief
Financial Officer establish a notification system that tells when employees are in
travel status, the last two recommendations will be closed. Lacking information
that identifies which employees were authorized to travel for official business, the
Office of Finance and Administration has not been able to properly match the
names of employees on official travel with a monthly report of travel card usage
provided by the Bank of America. We anticipate the new system being
operational within the next semiannual reporting period.

Improving Controls over Contract Modifications in the Central Office
(Report No. 03-04, dated September 30, 2003)

The OIG's Report on Improving Controls Over Printing Procurement
Department's Contract Modifications at Central Office, recommended that an
automated interface be developed to avoid the duplicative entry of the same
contract modification data into two different systems, one PC-based and one
mainframe-based. This last recommendation requires additional time to
implement. However, in the interim, some system modifications, for items as
paper price adjustments or economic price adjustments for a term contract have
been achieved. We expect the overall requirements to be completed before the
end of 2006.

Blank Passport Product Integrity and Security (Report No.
AI-0502, dated March 31, 2005)

The report on the OIG's Blank Passport Product Integrity and Security Review
provided management with ten recommendations to address weaknesses in
various blank passport production business processes, to include missing critical
core competencies, deficient processes, infrastructure issues, and other aspects of
the entire Passport Program. Much action is in process, and will continue, so that
all recommendations can be closed as soon as practical.

Final actions to close out the remaining recommendations are not imminent
because of the extensive time and effort required to make the requisite changes to
current operations. For example, the OIG recommended that GPO should become
ISO 9000-certified as it implements the ISO 9000 best practices for
manufacturing security and intelligent documents. We acknowledge the importance of
this certification, but it is critical to first subject existing processes to analysis,
evaluation, and measurement prior to embarking on a procedural-based
certification. To this end, GPO's Plant Operations has started to train some employees
in the Six Sigma methodology, which is a measurement-based strategy focusing
on process improvement. This strategy will take considerable time to implement,
and we are only in the early stages.

Management has concurred with the basic tenets within all of the OIG's
recommendations. However, we do not anticipate closure of many of these
recommendations until several more semiannual reporting periods.
In the interim,
we will continue to make progress and keep the OIG apprised on the current
status of actions taken on each recommendation.

Financial Statement Audit - KPMG Recommendations

KPMG, LLP, subsequent to its 2005 Financial Statement Audit of GPO's
financial statements, issued a management report containing twelve
recommendations about GPO's Information Technology security program.
Findings addressed the following areas: security program planning and
management, access controls, application software development and change
control, system software controls, and service continuity. GPO has continued to
take action to address all of these recommendations. At the end of this reporting
period, action has been completed to close out two recommendations, while
additional action is planned to complete three other recommendations by
September 30, 2006. For the remaining recommendations, appropriate action is
being planned or already underway, but no definitive time has been set for final
completion.

During this reporting, GPO has adjusted mainframe password configuration to
require the use of a combination of letters, numbers and special characters to
enhance security and accessibility to GPO's computer environment. In addition,
controls have been established to ensure only authorized programs and
modifications are implemented by implementing the System Development Life
Cycle (SDLC) methodology. Checklists have been used and posted on our
Configuration Management's (CM) website as documentation that controls have
been implemented. CM is integral to all phases of a project or system life cycle.
It is unique in its focus on controlling outcomes and makes sure these engines of
efficiency are marshaled together to produce the right product.
It also controls
change, making sure that its impact is assessed and that every effort is made to
prevent erosion of product functionality or safety.

Statistical Tables

Statistical tables as required by law are enclosed.

If you need additional information with respect to this report, please do not
hesitate to contact Mr. Andrew M. Sherman, Director of Congressional Relations,
on 202-512-1991, or by e-mail at asherman@gpo.gov.

Public Printer

Enclosures

cc: The Honorable Vernon Ehlers, Vice Chairman
    The Honorable Thad Cochran
    The Honorable Saxby Chambliss
    The Honorable Mark Dayton
    The Honorable Daniel K. Inouye
    The Honorable John T. Doolittle
    The Honorable Thomas M. Reynolds
    The Honorable Juanita Millender-McDonald
    The Honorable Robert A. Brady